DESCRIPTION

MOBILE WIRELESS COMMUNICATION SYSTEM, MOBILE WIRELESS TERMINAL APPARATUS, VIRTUAL PRIVATE NETWORK RELAY APPARATUS AND CONNECTION AUTHENTICATION SERVER



Technical Field 

[0001] The present invention relates to a mobile wireless communication system, mobile wireless terminal apparatus, virtual private network relay apparatus and connection authentication server that establish a communication path with high security in a mobile VPN connection environment in which access is made from a public network, such as a public wireless LAN system, to a private network.

Background Art 

[0002] For connection from a public network to a private network, the IPsec technique has been standardized by the IETF to establish a secure communication path. Support for the IPsec technique is indispensable in IPv6. It is assumed that IPsec is applied to a mobile environment in which a mobile wireless terminal apparatus can move freely between a public network and a private network, and that the mobile wireless terminal apparatus connects to the private network from the public network. In this case, every time the mobile wireless terminal apparatus moves, an IP address usable in the destination public network is assigned by DHCP (Dynamic Host Configuration Protocol) or the like. In other words, the IP address varies with the destination of the mobile wireless terminal apparatus.
[0003] For this reason, the security gateway in the private network at which the IPsec tunnel terminates would need to know the IP address at each destination, so it is difficult to implement IPsec key exchange using the IP address of the mobile wireless terminal apparatus, and it is therefore practically impossible to establish the IPsec tunnel in main mode. Accordingly, the IPsec tunnel has to be established in aggressive mode, and the IPsec user ID (ISAKMP ID Payload) is thus communicated between networks without being encrypted, resulting in degraded security.

[0004] Further, IPsec requires support for a pre-shared secret key scheme by which the two parties establishing the IPsec tunnel authenticate each other. However, there is the concern that security deteriorates with continuous use of a single pre-shared secret key. It is therefore considered to change the pre-shared secret key at regular time intervals to maintain security, but this imposes heavy loads on both the user and the administrator.

[0005] As a protocol for dynamically distributing a pre-shared secret key for use in IPsec authentication, PIC (Pre-IKE Credential Provisioning Protocol) has been proposed in the IETF (Internet Engineering Task Force) (see Non-patent Document 1).

[0006] PIC establishes a secure communication path between a mobile wireless terminal apparatus and an authentication server using ISAKMP (Internet Security Association and Key Management Protocol), which is also used in IPsec, and exchanges the authentication information required for PIC authentication. When the authentication succeeds, the authentication server issues to the mobile wireless terminal apparatus authentication information (for example, a pre-shared secret key or public key certificate), called a credential, for use in subsequent IPsec authentication.

[Non-patent Document 1] "PIC, A Pre-IKE Credential Provisioning Protocol", draft-ietf-ipsra-pic-06.txt, http://www.ietf.org/internet-drafts/draft-ietf-ipsra-pic-06.txt

Disclosure of Invention 


Problems to be Solved by the Invention 

[0007] When a mobile wireless terminal apparatus in a public network, such as a public wireless LAN system, connects to a private network, such as an intracompany network, it is considered that the mobile wireless terminal apparatus establishes a secure communication path, i.e. an IPsec tunnel, with the private network using IPsec.
[0008] However, in this case, when IPsec is applied to a mobile environment in which the mobile wireless terminal apparatus can move freely between a public network and a private network, the IP address of the mobile wireless terminal apparatus changes every time it moves, and it is thus difficult to exchange an IPsec key in IPsec main mode. For this reason, the IPsec tunnel has to be established by an IPsec key exchange in aggressive mode, so the IPsec user ID is communicated between networks without being encrypted, and the problem of degraded security arises.

[0009] Further, to establish the tunnel by an IPsec main mode key exchange, the IP address of the mobile wireless terminal apparatus at its destination needs to be known. However, in a public network such as a public wireless LAN system an IP address is often assigned by DHCP, and it is thus difficult to know the IP address of the mobile wireless terminal apparatus in advance. Even if the IP address of the mobile wireless terminal apparatus in the public wireless LAN system is known, a security policy needs to be described for each IP address in the public wireless LAN system, so that the problems arise that the performance of the security gateway deteriorates and that an administrative load is imposed on the administrator.

[0010] Furthermore, when the pre-shared secret key scheme is applied as the mutual authentication scheme for establishing an IPsec tunnel, continuing to use a single pre-shared key results in the problem that security deteriorates with time. Moreover, it is considered to change the pre-shared key at regular time intervals, but in this case the problem arises that loads are imposed on both the user and the administrator.

[0011] In order to solve the above-mentioned problems, PIC has been proposed as a protocol for dynamically distributing a pre-shared secret key for use in IPsec authentication. However, using PIC has the problem that the PIC protocol function needs to be newly added to existing apparatuses. Further, when PIC is applied to the IPsec tunnel establishment procedure, the mobile wireless terminal apparatus establishes a communication path by ISAKMP twice, i.e. it establishes an ISAKMP communication path between the mobile wireless terminal apparatus and the connection authentication server by PIC, and then establishes an ISAKMP communication path between the mobile wireless terminal apparatus and the security gateway; the procedure is thus redundant, resulting in the problem that the time required to establish the IPsec channel becomes long.

[0012] It is an object of the present invention to provide a mobile wireless communication system, mobile wireless terminal apparatus, virtual private network relay apparatus and connection authentication server capable of preventing deterioration in security, eliminating the need for specific operations by the user and administrator, and reducing the time required to establish an IPsec tunnel in a mobile VPN connection environment.

Means for Solving the Problem 

[0013] A mobile wireless communication system according to the present invention has a public network, a private network and a public wireless LAN system, and employs a configuration comprising: a virtual private network relay apparatus which establishes an IPsec tunnel with a network relay apparatus installed on the private network via the public network, further establishes an IPsec tunnel with a mobile wireless terminal apparatus, and relays the connection of the mobile wireless terminal apparatus from the public wireless LAN system to the private network; a connection authentication server that is installed on the public wireless LAN system and authenticates the connection of the mobile wireless terminal apparatus to the public wireless LAN system; and a wireless LAN access point that relays the connection authentication procedures of the public wireless LAN performed between the mobile wireless terminal apparatus and the connection authentication server.

Advantageous Effect of the Invention

[0014] According to the present invention, it is possible to prevent deterioration in security, eliminate the need for specific operations by the user and administrator, and reduce the time required to establish an IPsec tunnel in a mobile VPN connection environment.

Brief Description of Drawings

[0015]
FIG. 1 is a diagram illustrating the configuration of the mobile wireless communication system according to the embodiment of the present invention;
FIG. 2 is a block diagram illustrating the configuration of the mobile wireless terminal apparatus according to the embodiment of the invention;
FIG. 3 is a block diagram illustrating the configuration of the virtual private network relay apparatus according to the embodiment of the invention;
FIG. 4 is a block diagram illustrating the configuration of the connection authentication server according to the embodiment of the invention;
FIG. 5 is a block diagram illustrating the configuration of the wireless access point according to the embodiment of the invention;
FIG. 6 is a block diagram illustrating the configuration of the home agent according to the embodiment of the invention;
FIG. 7 is a sequence diagram to explain the mobile wireless communication system according to the embodiment of the invention;
FIG. 8 is a diagram to explain the EAPOL message format for use in the mobile wireless communication system according to the embodiment of the invention; and
FIG. 9 is a diagram to explain the addr message format for use in the mobile wireless communication system according to the embodiment of the invention.

Best Mode for Carrying Out the Invention 
[0016] An embodiment of the present invention will be specifically described below with reference to the accompanying drawings.

(Embodiment)

As shown in FIG. 1, mobile wireless communication system 100 according to the embodiment of the invention has public network 101, private network 102, public wireless LAN system 103, network relay apparatus 104, virtual private network relay apparatus 105, and home agent 106. Public wireless LAN system 103 has public wireless LAN 107, connection authentication server 108, wireless LAN access point 109 and a plurality of mobile wireless terminal apparatuses 110 (only one apparatus is shown).

[0017] Virtual private network relay apparatus 105 statically establishes an IPsec tunnel with network relay apparatus 104 installed on private network 102 via public network 101, and realizes secure communication between virtual private network relay apparatus 105 and private network 102. Further, virtual private network relay apparatus 105 establishes an IPsec tunnel with mobile wireless terminal apparatuses 110 present in public wireless LAN system 103, and relays the connection of mobile wireless terminal apparatuses 110 from public wireless LAN system 103 to private network 102. In addition, the IPsec tunnel between virtual private network relay apparatus 105 and mobile wireless terminal apparatus 110 is dynamically established whenever mobile wireless terminal apparatus 110 connects to public wireless LAN system 103, and is further dynamically established whenever mobile wireless terminal apparatus 110 requests connection to private network 102.

[0018] Connection authentication server 108 performs connection authentication of mobile wireless terminal apparatus 110 to public wireless LAN 107. At this point, wireless LAN access point 109 performs the function of relaying the connection authentication procedures performed between mobile wireless terminal apparatus 110 and connection authentication server 108.

[0019] FIG. 2 is a block diagram illustrating a configuration of mobile wireless terminal apparatus 110 according to the embodiment of the invention. FIG. 3 is a block diagram illustrating a configuration of virtual private network relay apparatus 105 according to the embodiment of the invention. FIG. 4 is a block diagram illustrating a configuration of connection authentication server 108 according to the embodiment of the invention. FIG. 5 is a block diagram illustrating a configuration of wireless LAN access point 109 according to the embodiment of the invention. FIG. 6 is a block diagram illustrating a configuration of home agent 106 according to the embodiment of the invention.
[0020] As shown in FIG. 2, mobile wireless terminal apparatus 110 has authentication processing section 201, address notifying section 202, address acquiring section 203, IPsec shared key acquiring section 204, IPsec key exchanging section 205, MIP shared key acquiring section 206 and MIP registering section 207. In addition, mobile wireless terminal apparatus 110 has an apparatus (not shown) performing mobile wireless communication.

[0021] As shown in FIG. 3, virtual private network relay apparatus 105 has address acquiring section 301, IPsec shared key acquiring section 302, and IPsec key exchanging section 303. As shown in FIG. 4, connection authentication server 108 has authentication processing section 401, address notifying section 402, address acquiring section 403, IPsec shared key distributing section 404, and MIP shared key distributing section 405. As shown in FIG. 5, wireless LAN access point 109 has authentication relay section 501. As shown in FIG. 6, home agent 106 has MIP shared key acquiring section 601 and MIP processing section 602.

[0022] Next, the procedure for the case where mobile wireless terminal apparatus 110 present in public wireless LAN system 103 connects to private network 102 will be explained as an example.

[0023] When mobile wireless terminal apparatus 110 is within the communication range of public wireless LAN system 103, in order to connect to public wireless LAN system 103, authentication processing section 201 of mobile wireless terminal apparatus 110 transmits a connection request to authentication processing section 401 of connection authentication server 108 via authentication relay section 501 of wireless LAN access point 109. As a protocol for connecting to public wireless LAN system 103, 802.1X specified by the IEEE (Institute of Electrical and Electronics Engineers) or the like may be used.

[0024] For simplicity of explanation, the procedure for the case using 802.1X will be described below. In the 802.1X framework, the EAP (Extensible Authentication Protocol) protocol is applied between mobile wireless terminal apparatus 110 and wireless LAN access point 109. Further, the RADIUS (Remote Authentication Dial In User Service) protocol or the like is applied between wireless LAN access point 109 and connection authentication server 108. Wireless LAN access point 109 has the bridge function of relaying between the two protocols.



2F04200-PCT 

[0025] Authentication processing section 401 of connection authentication server 108 first authenticates the connection request transmitted from authentication processing section 201 of mobile wireless terminal apparatus 110. The authentication is performed using one of various authentication schemes such as EAP-MD5, EAP-TLS, EAP-LEAP or PEAP. Here, for simplicity of explanation, the procedure for the case using EAP-TLS will be described. In EAP-TLS, mobile wireless terminal apparatus 110 and connection authentication server 108 exchange electronic certificates, thereby authenticating each other.

[0026] Further, at the same time, mobile wireless terminal apparatus 110 and connection authentication server 108 exchange random numbers and perform computation using a pseudo-random function or the like, thereby holding a master secret common to both. Mobile wireless terminal apparatus 110 and connection authentication server 108 generate a PMK (Pairwise Master Key) from the master secret. Then, when connection authentication server 108 succeeds in authenticating mobile wireless terminal apparatus 110, mobile wireless terminal apparatus 110 and connection authentication server 108 encrypt the communication path between connection authentication server 108 and mobile wireless terminal apparatus 110 using the master secret.
[0027] At this point, authentication relay section 501 of wireless LAN access point 109 serves to relay the communication path, and therefore secret communication between mobile wireless terminal apparatus 110 and connection authentication server 108 is possible. In other words, a secure communication path is established among authentication processing section 201 of mobile wireless terminal apparatus 110, authentication relay section 501 of wireless LAN access point 109 and authentication processing section 401 of connection authentication server 108. Subsequently, unless otherwise specified, the communication among mobile wireless terminal apparatus 110, wireless LAN access point 109 and connection authentication server 108 is performed using this secure communication path.

[0028] Then, connection authentication server 108 transmits the PMK to wireless LAN access point 109 using the encrypted secure communication path. By this, mobile wireless terminal apparatus 110 and wireless LAN access point 109 generate a WEP key from the shared PMK, and encrypt the wireless-domain communication path in public wireless LAN system 103 using the WEP key (step ST1 in FIG. 7).
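As an added illustration (not code from the patent), the following Python models the key derivation that paragraphs [0026] to [0028] describe for EAP-TLS: both sides combine the exchanged random numbers with a pseudo-random function to obtain a common master secret, and derive the PMK from it. It uses the TLS 1.2 PRF of RFC 5246 and the EAP-TLS key derivation of RFC 5216 (the PMK is the first 32 bytes of the MSK); the random values and the pre-master secret are constructed, and channel_key is a hypothetical derivation of a separate key for the encrypted terminal-to-server path, which the patent describes only as encrypted using the master secret.

```python
import hashlib
import hmac
import secrets

# Added illustration, not code from the patent. PRF per RFC 5246 section 5,
# master secret per RFC 5246 section 8.1, EAP-TLS key material per RFC 5216
# section 2.3. Random values below are constructed for the example.


def tls12_prf(secret: bytes, label: bytes, seed: bytes, length: int) -> bytes:
    """TLS 1.2 PRF: P_SHA256(secret, label || seed) expanded to `length` bytes."""
    full_seed = label + seed
    a = full_seed                                   # A(0) = seed
    out = b""
    while len(out) < length:
        a = hmac.new(secret, a, hashlib.sha256).digest()               # A(i) = HMAC(secret, A(i-1))
        out += hmac.new(secret, a + full_seed, hashlib.sha256).digest()
    return out[:length]


def master_secret(pre_master_secret: bytes, client_random: bytes, server_random: bytes) -> bytes:
    """48-byte TLS master secret shared by terminal 110 and server 108 after EAP-TLS."""
    return tls12_prf(pre_master_secret, b"master secret", client_random + server_random, 48)


def eap_tls_pmk(master: bytes, client_random: bytes, server_random: bytes) -> bytes:
    """PMK handed to the 802.1X layer: first 32 bytes of the 64-byte EAP-TLS MSK."""
    key_material = tls12_prf(master, b"client EAP encryption", client_random + server_random, 128)
    msk = key_material[:64]          # bytes 64..127 are the EMSK and stay with EAP
    return msk[:32]


def channel_key(master: bytes) -> bytes:
    """HYPOTHETICAL: a distinct key for the terminal-to-server path. The patent only
    says that path is encrypted using the master secret; deriving a separate key
    keeps the master secret itself out of the cipher."""
    return hmac.new(master, b"connection-auth-channel", hashlib.sha256).digest()


def run_example() -> dict:
    """Terminal and server each derive the PMK from the same randoms and agree."""
    client_random = secrets.token_bytes(32)      # constructed; sent in ClientHello
    server_random = secrets.token_bytes(32)      # constructed; sent in ServerHello
    pre_master = secrets.token_bytes(48)         # constructed; in TLS it comes from the handshake
    terminal_pmk = eap_tls_pmk(master_secret(pre_master, client_random, server_random),
                               client_random, server_random)
    server_pmk = eap_tls_pmk(master_secret(pre_master, client_random, server_random),
                             client_random, server_random)
    return {"agree": terminal_pmk == server_pmk, "pmk_len": len(terminal_pmk)}


if __name__ == "__main__":
    print(run_example())
```

The point of keeping the PMK and the channel key distinct is visible in step ST1: the access point receives only the PMK, never the master secret, so the path that carries the addresses and pre-shared keys in the later steps is relayed by the access point without being readable there. This is the TLS 1.2-era derivation; EAP-TLS over TLS 1.3 (RFC 9190) obtains the MSK through the TLS exporter instead.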

[0029] Next, using the communication path encrypted by the master secret shared between mobile wireless terminal apparatus 110 and connection authentication server 108, the IP address of virtual private network relay apparatus 105 and the IP address of mobile wireless terminal apparatus 110 are exchanged. Address notifying section 402 of connection authentication server 108 transmits the IP address of virtual private network relay apparatus 105 to address acquiring section 203 of mobile wireless terminal apparatus 110 via authentication relay section 501 of wireless LAN access point 109.

[0030] In addition, it is considered that connection authentication server 108 holds the IP address of virtual private network relay apparatus 105 in advance. Address acquiring section 203 of mobile wireless terminal apparatus 110, having received the IP address of virtual private network relay apparatus 105, outputs a signal to address notifying section 202. Address notifying section 202, having received the signal, transmits the IP address assigned to apparatus 110 to address acquiring section 403 of connection authentication server 108 via authentication relay section 501 of wireless LAN access point 109 (step ST3 in FIG. 7).
[0031] Further, in order for connection authentication server 108 and mobile wireless terminal apparatus 110 to transmit and receive the IP addresses, the EAP protocol and EAPOL protocol are extended. In order for authentication processing section 401 of connection authentication server 108 and authentication relay section 501 of wireless LAN access point 109 to transmit and receive the IP address, EAP-IPADDR is newly defined as a message type of the EAP protocol. Then, authentication processing section 401 of connection authentication server 108 transmits the IP address to authentication relay section 501 of wireless LAN access point 109 as an attribute value of the vendor-specific field of the RADIUS protocol.

[0032] Meanwhile, in order for authentication processing section 201 of mobile wireless terminal apparatus 110 and authentication relay section 501 of wireless LAN access point 109 to transmit and receive the IP address, EAPOL-IPADDR is newly defined as a packet type of the EAPOL protocol as shown in FIG. 8, and an addr format (FIG. 9) is added to notify the IP address as an attribute value. Reception of this EAPOL-IPADDR message indicates reception of the IP address of virtual private network relay apparatus 105 for mobile wireless terminal apparatus 110, and reception of the IP address of mobile wireless terminal apparatus 110 for wireless LAN access point 109.
[0033] Then, address notifying section 402 of connection authentication server 108 transmits the IP address of mobile wireless terminal apparatus 110 to address acquiring section 301 of virtual private network relay apparatus 105 (step ST4 in FIG. 7).
[0034] According to the above-mentioned procedure, mobile wireless terminal apparatus 110 and virtual private network relay apparatus 105 are able to acquire the IP address of the communicating party. Then, using the acquired IP address, IPsec key exchanging section 205 of mobile wireless terminal apparatus 110 and IPsec key exchanging section 303 of virtual private network relay apparatus 105 are able to start key exchange in IPsec main mode.

[0035] Further, using the communication path encrypted by the master secret shared between mobile wireless terminal apparatus 110 and connection authentication server 108, connection authentication server 108 distributes an IPsec pre-shared secret key, for use in establishing the IPsec tunnel between mobile wireless terminal apparatus 110 and virtual private network relay apparatus 105, to mobile wireless terminal apparatus 110 and virtual private network relay apparatus 105. Authentication processing section 401 of connection authentication server 108 transmits the IPsec pre-shared secret key to authentication relay section 501 of wireless LAN access point 109. Authentication relay section 501 of wireless LAN access point 109, having received the IPsec pre-shared secret key, transmits the IPsec pre-shared secret key to authentication processing section 201 of mobile wireless terminal apparatus 110 without change (step ST4 in FIG. 7).
[0036] In addition, in order for authentication processing section 401 of connection authentication server 108 to transmit the IPsec pre-shared secret key to authentication processing section 201 of mobile wireless terminal apparatus 110, the EAP protocol and EAPOL protocol are extended. In order for authentication processing section 401 of connection authentication server 108 to transmit the IPsec pre-shared secret key to authentication relay section 501 of wireless LAN access point 109, EAP-IPSECKEY is newly defined as a message type of the EAP protocol. Then, the IPsec pre-shared secret key is transmitted as an attribute value of the vendor-specific field of the RADIUS protocol. Meanwhile, in order for authentication relay section 501 of wireless LAN access point 109 to transmit the IPsec pre-shared secret key to authentication processing section 201 of mobile wireless terminal apparatus 110, a key distribution message of the EAPOL protocol is used. At this point, the IPsec pre-shared secret key is notified in the key field, with the descriptor type of the key description format set to IPsec.

[0037] Then, IPsec shared key distributing section 404 of connection authentication server 108 transmits the same IPsec pre-shared secret key as that transmitted to mobile wireless terminal apparatus 110 to IPsec shared key acquiring section 302 of virtual private network relay apparatus 105.
[0038] In addition, the communication path from connection authentication server 108 to virtual private network relay apparatus 105 is a statically established IPsec tunnel that realizes a secure communication path, so that the IPsec pre-shared secret key is not sniffed. Further, the IPsec pre-shared secret key held by connection authentication server 108 can be generated dynamically by connection authentication server 108, or can be received from another key generating server.

[0039] According to the above-mentioned procedure, mobile wireless terminal apparatus 110 and virtual private network relay apparatus 105 share the same IPsec pre-shared secret key. Using the shared IPsec pre-shared secret key, IPsec key exchanging section 205 of mobile wireless terminal apparatus 110 and IPsec key exchanging section 303 of virtual private network relay apparatus 105 start key exchange in IPsec main mode. When the IPsec pre-shared secret key, IP address and user ID described in the authentication request from IPsec key exchanging section 205 of mobile wireless terminal apparatus 110 agree with the IPsec pre-shared secret key, IP address and user ID held in virtual private network relay apparatus 105, IPsec key exchanging section 303 of virtual private network relay apparatus 105 accepts the authentication of mobile wireless terminal apparatus 110 and establishes the IPsec tunnel.

[0040] Further, using the communication path encrypted by the master secret shared between mobile wireless terminal apparatus 110 and connection authentication server 108, connection authentication server 108 transmits to mobile wireless terminal apparatus 110 an MIP pre-shared secret key that mobile wireless terminal apparatus 110 uses for registering with home agent 106. Authentication processing section 401 of connection authentication server 108 transmits the MIP pre-shared secret key to authentication relay section 501 of wireless LAN access point 109. Authentication relay section 501 of wireless LAN access point 109, having received the MIP pre-shared secret key, transmits the MIP pre-shared secret key to authentication processing section 201 of mobile wireless terminal apparatus 110.

[0041] In addition, in order for authentication processing section 401 of connection authentication server 108 to transmit the MIP pre-shared secret key to authentication processing section 201 of mobile wireless terminal apparatus 110, the EAP protocol and EAPOL protocol are extended. In order for authentication processing section 401 of connection authentication server 108 to transmit the MIP pre-shared secret key to authentication relay section 501 of wireless LAN access point 109, EAP-MIPKEY is newly defined as a message type of the EAP protocol. Then, authentication processing section 401 of connection authentication server 108 transmits the MIP pre-shared secret key to authentication relay section 501 of wireless LAN access point 109 as an attribute value of the vendor-specific field of the RADIUS protocol.
[0042] Meanwhile, in order for authentication relay section 501 of wireless LAN access point 109 to transmit the MIP pre-shared secret key to authentication processing section 201 of mobile wireless terminal apparatus 110, a key distribution message of the EAPOL protocol is used. At this point, the MIP pre-shared secret key is notified in the key field, with the descriptor type of the key description format set to MIP.
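As an added example (not the patent's code; FIG. 8 and FIG. 9, which define the actual formats, are not reproduced on this page), the following Python shows how the access point or terminal would frame and validate the two EAPOL extensions described in paragraphs [0031] to [0032], [0036] and [0042]: an EAPOL-IPADDR packet carrying an addr body, and an EAPOL-Key packet whose descriptor type marks the key field as an IPsec or MIP pre-shared secret key. The 4-byte EAPOL header (version, packet type, body length), the EAPOL-Key packet type value 3 and the descriptor type being the first body byte of EAPOL-Key are from IEEE 802.1X; the EAPOL-IPADDR packet type value, the two descriptor type values and the addr and key body layouts are hypothetical placeholders, since the page does not give them. The parser rejects truncated frames, malformed address bodies and unknown descriptor types instead of trusting the length fields.

```python
import ipaddress
import struct

# Added illustration, not the patent's code. Header layout and EAPOL-Key type
# are from IEEE 802.1X; the values marked HYPOTHETICAL stand in for the
# definitions in FIG. 8 and FIG. 9, which this page does not reproduce.

EAPOL_VERSION = 1          # IEEE 802.1X-2001 protocol version
EAPOL_TYPE_KEY = 3         # EAPOL-Key packet type (IEEE 802.1X)
EAPOL_TYPE_IPADDR = 0x80   # HYPOTHETICAL code for the new EAPOL-IPADDR packet type
DESC_TYPE_IPSEC = 0xF0     # HYPOTHETICAL key descriptor type "IPsec"
DESC_TYPE_MIP = 0xF1       # HYPOTHETICAL key descriptor type "MIP"

_HDR = struct.Struct("!BBH")  # version | packet type | body length


def eapol_frame(ptype: int, body: bytes) -> bytes:
    return _HDR.pack(EAPOL_VERSION, ptype, len(body)) + body


def parse_eapol(frame: bytes) -> tuple:
    """Return (packet type, body); reject anything the header does not fully cover."""
    if len(frame) < _HDR.size:
        raise ValueError("frame shorter than EAPOL header")
    version, ptype, length = _HDR.unpack_from(frame)
    if version != EAPOL_VERSION:
        raise ValueError(f"unsupported EAPOL version {version}")
    body = frame[_HDR.size:_HDR.size + length]
    if len(body) != length:                # length field claims more bytes than arrived
        raise ValueError("truncated EAPOL body")
    return ptype, body


def encode_ipaddr(address: str) -> bytes:
    """EAPOL-IPADDR; HYPOTHETICAL addr body = family(1) | addrlen(1) | address bytes."""
    ip = ipaddress.ip_address(address)
    raw = ip.packed
    return eapol_frame(EAPOL_TYPE_IPADDR, bytes([ip.version, len(raw)]) + raw)


def decode_ipaddr(frame: bytes) -> str:
    ptype, body = parse_eapol(frame)
    if ptype != EAPOL_TYPE_IPADDR:
        raise ValueError("not an EAPOL-IPADDR frame")
    if len(body) < 2:
        raise ValueError("addr body too short")
    family, alen = body[0], body[1]
    raw = body[2:2 + alen]
    if (family, alen) not in ((4, 4), (6, 16)) or len(raw) != alen:
        raise ValueError("malformed addr body")
    return str(ipaddress.ip_address(raw))


def encode_key(descriptor: int, key: bytes) -> bytes:
    """EAPOL-Key; the descriptor type is the real first body byte, the remaining
    layout (keylen(2) | key) is HYPOTHETICAL."""
    return eapol_frame(EAPOL_TYPE_KEY, bytes([descriptor]) + struct.pack("!H", len(key)) + key)


def decode_key(frame: bytes) -> tuple:
    """Return (descriptor type, key) for an IPsec or MIP key distribution message."""
    ptype, body = parse_eapol(frame)
    if ptype != EAPOL_TYPE_KEY or len(body) < 3:
        raise ValueError("not a well-formed EAPOL-Key frame")
    descriptor = body[0]
    if descriptor not in (DESC_TYPE_IPSEC, DESC_TYPE_MIP):
        raise ValueError(f"unknown key descriptor type {descriptor:#x}")
    (klen,) = struct.unpack_from("!H", body, 1)
    key = body[3:3 + klen]
    if len(key) != klen:
        raise ValueError("truncated key field")
    return descriptor, key


if __name__ == "__main__":
    # constructed sample: the relay's address and a 32-byte all-zero IPsec PSK placeholder
    print(decode_ipaddr(encode_ipaddr("203.0.113.5")))
    print(decode_key(encode_key(DESC_TYPE_IPSEC, bytes(32)))[0] == DESC_TYPE_IPSEC)
```

On the access point this parser sits behind the bridge function of [0024]: inbound, the addr body from EAPOL-IPADDR is copied into the RADIUS vendor-specific attribute; outbound, the key delivered in the RADIUS attribute is wrapped into EAPOL-Key with the IPsec or MIP descriptor type. In both directions the relay should only forward a body whose length fields it has checked against the bytes actually received, which is what parse_eapol, decode_ipaddr and decode_key enforce.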

[0043] Then, MIP shared key distributing section 405 of connection authentication server 108 transmits the same MIP pre-shared secret key as that transmitted to mobile wireless terminal apparatus 110, together with the IP address of mobile wireless terminal apparatus 110, to MIP shared key acquiring section 601 of home agent 106 (step ST5 in FIG. 7).

[0044] In addition, the communication path from connection authentication server 108 to home agent 106 is a statically established IPsec tunnel that realizes a secure communication path, so that the MIP pre-shared secret key is not sniffed. Further, the MIP pre-shared secret key held by connection authentication server 108 can be generated dynamically by connection authentication server 108, or can be received from another key generating server.

[0045] According to the above-mentioned procedure, mobile wireless terminal apparatus 110 and home agent 106 share the same MIP pre-shared secret key. MIP registering section 207 of mobile wireless terminal apparatus 110 performs mobile IP registration (Binding Update) with MIP processing section 602 of home agent 106 using the MIP pre-shared secret key. When the MIP pre-shared secret key and SPI described in the authentication field of the mobile IP registration message from MIP registering section 207 of mobile wireless terminal apparatus 110 agree with the MIP pre-shared secret key and SPI held in home agent 106, MIP processing section 602 of home agent 106 accepts the authentication of the mobile IP registration of mobile wireless terminal apparatus 110. In addition, the IPsec tunnel is already established between mobile wireless terminal apparatus 110 and virtual private network relay apparatus 105, and the communication path between mobile wireless terminal apparatus 110 and home agent 106 is thereby secure.
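The distribution and checking logic of paragraphs [0035] to [0039] and [0040] to [0045], as an added Python model that is not the patent's own code: connection authentication server 108 generates a fresh IPsec pre-shared secret key and MIP pre-shared secret key on every connection, hands them to the terminal together with the relay's IP address and, over its static tunnels, to relay apparatus 105 and home agent 106; the relay then accepts a main mode authentication only when pre-shared key, IP address and user ID all agree with what it holds, and the home agent accepts a Binding Update only when the MIP key and SPI agree. The transports are modelled as direct method calls, all addresses, user IDs and SPIs are constructed, and the scenario goes one step beyond the text by showing that a credential from an earlier connection is rejected after the terminal reconnects, which is what the per-connection update claimed in [0046] provides.

```python
import secrets
from dataclasses import dataclass, field

# Added model of the key distribution and the two authentication checks; not the
# patent's code. The encrypted EAP path to the terminal and the static IPsec
# tunnels to relay 105 and home agent 106 are assumed and modelled as method
# calls. Addresses, user IDs and SPIs below are constructed sample values.


@dataclass
class VpnRelay:
    """Virtual private network relay apparatus 105."""
    expected: dict = field(default_factory=dict)   # user_id -> (psk, terminal_ip)

    def receive_psk(self, user_id: str, terminal_ip: str, psk: bytes) -> None:
        # IPsec shared key acquiring section 302 (step ST4); a new connection replaces the old entry
        self.expected[user_id] = (psk, terminal_ip)

    def main_mode_auth(self, user_id: str, terminal_ip: str, psk: bytes) -> bool:
        # IPsec key exchanging section 303: key, address and user ID must all agree
        held = self.expected.get(user_id)
        if held is None:
            return False
        return secrets.compare_digest(held[0], psk) and held[1] == terminal_ip


@dataclass
class HomeAgent:
    """Home agent 106."""
    expected: dict = field(default_factory=dict)   # terminal_ip -> (mip_psk, spi)

    def receive_psk(self, terminal_ip: str, mip_psk: bytes, spi: int) -> None:
        self.expected[terminal_ip] = (mip_psk, spi)  # MIP shared key acquiring section 601 (ST5)

    def binding_update_auth(self, terminal_ip: str, mip_psk: bytes, spi: int) -> bool:
        # MIP processing section 602: key and SPI in the authentication field must agree
        held = self.expected.get(terminal_ip)
        if held is None:
            return False
        return secrets.compare_digest(held[0], mip_psk) and held[1] == spi


@dataclass
class ConnectionAuthServer:
    """Connection authentication server 108 after EAP-TLS has succeeded."""
    relay: VpnRelay
    home_agent: HomeAgent
    relay_ip: str = "203.0.113.5"   # constructed address of relay apparatus 105

    def connect(self, user_id: str, terminal_ip: str) -> dict:
        """Steps ST2 to ST5: exchange addresses and issue fresh keys to all three parties."""
        ipsec_psk = secrets.token_bytes(32)        # generated dynamically per connection
        mip_psk = secrets.token_bytes(32)
        spi = secrets.randbits(32) | 0x100         # constructed SPI outside the reserved range
        self.relay.receive_psk(user_id, terminal_ip, ipsec_psk)
        self.home_agent.receive_psk(terminal_ip, mip_psk, spi)
        # what the terminal receives over the master-secret-encrypted path
        return {"relay_ip": self.relay_ip, "ipsec_psk": ipsec_psk, "mip_psk": mip_psk, "spi": spi}


def run_scenario() -> dict:
    relay, home_agent = VpnRelay(), HomeAgent()
    server = ConnectionAuthServer(relay, home_agent)
    user, ip1, ip2 = "alice@example.test", "198.51.100.20", "198.51.100.77"
    first = server.connect(user, ip1)
    ipsec_ok = relay.main_mode_auth(user, ip1, first["ipsec_psk"])
    mip_ok = home_agent.binding_update_auth(ip1, first["mip_psk"], first["spi"])
    # terminal moves, gets a new address and reconnects: keys are rotated
    second = server.connect(user, ip2)
    stale = relay.main_mode_auth(user, ip2, first["ipsec_psk"])
    fresh = relay.main_mode_auth(user, ip2, second["ipsec_psk"])
    return {"ipsec_ok": ipsec_ok, "mip_ok": mip_ok, "stale_rejected": not stale,
            "fresh_ok": fresh, "rotated": first["ipsec_psk"] != second["ipsec_psk"]}


if __name__ == "__main__":
    print(run_scenario())
```

Two choices worth noting: the key comparisons use secrets.compare_digest so the relay's and home agent's checks do not leak how many key bytes matched, and the relay keeps exactly one (key, address) pair per user ID, so a re-used key from a previous visit fails even if the user ID is correct.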

[0046] Thus, according to the embodiment of the present invention, in a mobile VPN connection environment in which mobile wireless terminal apparatus 110 connects to a private network from a public network such as public wireless LAN system 103, it is possible to establish an IPsec tunnel in IPsec main mode. Further, according to the embodiment of the invention, it is possible to dynamically update the IPsec pre-shared key and MIP pre-shared key every time mobile wireless terminal apparatus 110 accesses public wireless LAN system 103. Hence, according to the embodiment of the invention, it is possible to prevent deterioration in security, eliminate the need for specific operations by the user and administrator, and reduce the time required to establish an IPsec tunnel in a mobile VPN connection environment.

[0047] A mobile wireless communication system according to a first aspect of the present invention has a public network, a private network and a public wireless LAN system, and employs a configuration comprising: a virtual private network relay apparatus which establishes an IPsec tunnel with a network relay apparatus installed on the private network via the public network, further establishes an IPsec tunnel with a mobile wireless terminal apparatus, and relays the connection of the mobile wireless terminal apparatus from the public wireless LAN system to the private network; a connection authentication server that is installed on the public wireless LAN system and authenticates the connection of the mobile wireless terminal apparatus to the public wireless LAN system; and a wireless LAN access point that relays the connection authentication procedures of a public wireless LAN performed between the mobile wireless terminal apparatus and the connection authentication server.
[0048] According to this configuration, the mobile wireless terminal apparatus can acquire the IP address of the virtual private network relay apparatus and the virtual private network relay apparatus can acquire the IP address of the mobile wireless terminal apparatus, so that the mobile wireless terminal apparatus and the virtual private network relay apparatus can start key exchange by IPsec main mode using the IP addresses of the respective parties, and it is thereby possible to prevent deterioration in security, and a specific operation of the user and administrator is not required. Further, according to this configuration, the IP address is transmitted using the secure communication path established by connection authentication procedures between the mobile wireless terminal apparatus and the connection authentication server, so that a secure communication path to distribute the IP address does not need to be newly established, and it is thus possible to reduce the time required to establish the IPsec tunnel in the mobile VPN connection environment.

[0049] A mobile wireless terminal apparatus according to a second aspect of the invention is a mobile wireless terminal apparatus in a mobile wireless communication system which has a public network, a private network and a public wireless LAN system and comprises a virtual private network relay apparatus which establishes an IPsec tunnel with a network relay apparatus installed on the private network via the public network, further establishes the IPsec tunnel with the mobile wireless terminal apparatus and relays connection of the mobile wireless terminal apparatus from the public wireless LAN system to the private network, a connection authentication server that is installed on the public wireless LAN system and authenticates connection of the mobile wireless terminal apparatus to the public wireless LAN system, and a wireless LAN access point that relays connection authentication procedures of a public wireless LAN performed between the mobile wireless terminal apparatus and the connection authentication server, and employs a configuration comprising: an authentication processing section that performs authentication processing of connection to the public wireless LAN system with the connection authentication server, an address acquiring section that acquires an IP address of the virtual private network relay apparatus from the connection authentication server when the connection to the public wireless LAN system is permitted, an address notifying section that notifies an IP address of the mobile wireless terminal apparatus to the connection authentication server, and an IPsec key exchanging section that performs an IPsec key exchange with the virtual private network relay apparatus using the IP address of the virtual private network relay apparatus.

[0050] According to this configuration, the mobile wireless terminal apparatus can acquire the IP address of the virtual private network relay apparatus and the virtual private network relay apparatus can acquire the IP address of the mobile wireless terminal apparatus, so that the mobile wireless terminal apparatus and the virtual private network relay apparatus can start key exchange by IPsec main mode using the IP addresses of the respective parties, and it is thereby possible to prevent deterioration in security, and a specific operation of the user and administrator is not required. Further, according to this configuration, the IP address is transmitted using the secure communication path established by connection authentication procedures between the mobile wireless terminal apparatus and the connection authentication server, so that a secure communication path to distribute the IP address does not need to be newly established, and it is thus possible to reduce the time required to establish the IPsec tunnel in the mobile VPN connection environment.

[0051] A mobile wireless terminal apparatus according to a third aspect of the invention is a mobile wireless terminal apparatus in a mobile wireless communication system which has a public network, a private network and a public wireless LAN system and comprises a virtual private network relay apparatus which establishes an IPsec tunnel with a network relay apparatus installed on the private network via the public network, further establishes the IPsec tunnel with the mobile wireless terminal apparatus, and relays connection of the mobile wireless terminal apparatus from the public wireless LAN system to the private network, a connection authentication server that is installed on the public wireless LAN system and authenticates connection of the mobile wireless terminal apparatus to the public wireless LAN system, and a wireless LAN access point that relays connection authentication procedures of a public wireless LAN performed between the mobile wireless terminal apparatus and the connection authentication server, and employs a configuration comprising: an authentication processing section that performs authentication processing of connection to the public wireless LAN system with the connection authentication server, an IPsec shared key acquiring section that acquires an IPsec pre-shared secret key for use in the IPsec key exchange performed with the virtual private network relay apparatus from the connection authentication server when the connection to the public wireless LAN system is permitted, and an IPsec key exchanging section that performs the IPsec key exchange with the virtual private network relay apparatus using the IPsec pre-shared secret key.

[0052] According to this configuration, the mobile wireless terminal apparatus and the virtual private network relay apparatus can acquire the same IPsec pre-shared secret key, and update the IPsec pre-shared secret key every time the mobile wireless terminal apparatus connects to the public wireless LAN system, so that deterioration in security can be prevented and a specific operation of the user and administrator is not required. Further, according to this configuration, the IPsec pre-shared secret key is transmitted using the secure communication path established by connection authentication procedures between the mobile wireless terminal apparatus and the connection authentication server, so that a secure communication path to distribute the IPsec pre-shared secret key does not need to be newly established, and it is thus possible to reduce the time required to establish the IPsec tunnel in the mobile VPN connection environment.

[0053] A mobile wireless terminal apparatus according to a fourth aspect of the invention is a mobile wireless terminal apparatus in a mobile wireless communication system which has a public network, a private network and a public wireless LAN system and comprises a virtual private network relay apparatus which establishes an IPsec tunnel with a network relay apparatus installed on the private network via the public network, further establishes the IPsec tunnel with the mobile wireless terminal apparatus, and relays connection of the mobile wireless terminal apparatus from the public wireless LAN system to the private network, a home agent that controls moving of the mobile wireless terminal apparatus, a connection authentication server that is installed on the public wireless LAN system and authenticates connection of the mobile wireless terminal apparatus to the public wireless LAN system, and a wireless LAN access point that relays connection authentication procedures of a public wireless LAN performed between the mobile wireless terminal apparatus and the connection authentication server, and employs a configuration comprising: an authentication processing section that performs authentication processing of connection to the public wireless LAN system with the connection authentication server, an MIP shared key acquiring section that acquires a pre-shared secret key for use in mobile IP registration made with the home agent from the connection authentication server when the connection to the public wireless LAN system is permitted, and an MIP registering section that makes the mobile IP registration to the home agent using the pre-shared secret key.

[0054] According to this configuration, the mobile wireless terminal apparatus and the home agent can acquire the same MIP pre-shared secret key, and update the MIP pre-shared secret key every time the mobile wireless terminal apparatus connects to the public wireless LAN system, so that deterioration in security can be prevented and a specific operation of the user and administrator is not required. Further, the MIP pre-shared secret key is transmitted using the secure communication path established by connection authentication procedures between the mobile wireless terminal apparatus and the connection authentication server, so that a secure communication path to distribute the MIP pre-shared secret key does not need to be newly established, and it is thus possible to reduce the time required to establish the IPsec tunnel in the mobile VPN connection environment.
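
The fourth aspect rests on two properties: the terminal and the home agent hold the same MIP pre-shared secret key, and that key is replaced on every public wireless LAN connection. The Python script below is an added example, not code from the patent or from any product, that models a home agent verifying a Mobile IP registration request with the key of the current connection. It shows the consequences the aspect claims: a replayed request is refused, a request authenticated with the key from the previous connection is refused once the key has been rotated, and a request under the rotated key updates the care-of binding. The text-based message layout, the identification counter and the use of HMAC-SHA256 (Mobile IP, RFC 3344, specifies HMAC-MD5 as its default algorithm) are simplifications assumed for the example, and all addresses are constructed sample values.

```python
import hmac
import hashlib
import secrets
from typing import Dict

AUTH_LEN = hashlib.sha256().digest_size  # length of the authenticator appended to a request


def mip_authenticator(psk: bytes, body: bytes) -> bytes:
    """Mobile-Home authentication extension value over the request body.
    Assumed simplification: HMAC-SHA256 instead of the HMAC-MD5 that RFC 3344
    specifies as the default algorithm."""
    return hmac.new(psk, body, hashlib.sha256).digest()


def build_registration_request(home_addr: str, home_agent: str, care_of: str,
                               identification: int, psk: bytes) -> bytes:
    """Terminal side: serialize the request fields (constructed text layout, not the
    RFC 3344 wire format) and append the authenticator computed with the current MIP PSK."""
    body = "|".join([home_addr, home_agent, care_of, str(identification)]).encode()
    return body + mip_authenticator(psk, body)


class HomeAgent:
    """Home agent: holds the current per-connection MIP PSK for each home address, the
    highest identification value accepted so far, and the care-of address binding."""

    def __init__(self) -> None:
        self.psk_by_home_addr: Dict[str, bytes] = {}
        self.last_identification: Dict[str, int] = {}
        self.bindings: Dict[str, str] = {}

    def install_psk(self, home_addr: str, psk: bytes) -> None:
        # Receives the key the connection authentication server distributes each time the
        # terminal's public wireless LAN connection is permitted; it replaces the old key.
        self.psk_by_home_addr[home_addr] = psk

    def process_registration(self, request: bytes) -> bool:
        """Verify the authenticator and the identification, then update the binding."""
        if len(request) <= AUTH_LEN:
            return False
        body, auth = request[:-AUTH_LEN], request[-AUTH_LEN:]
        fields = body.decode(errors="replace").split("|")
        if len(fields) != 4:
            return False
        home_addr, _home_agent, care_of, ident_text = fields
        psk = self.psk_by_home_addr.get(home_addr)
        if psk is None:
            return False  # no key provisioned for this terminal
        if not hmac.compare_digest(mip_authenticator(psk, body), auth):
            return False  # stale or wrong key, or a tampered request
        try:
            ident = int(ident_text)
        except ValueError:
            return False
        if ident <= self.last_identification.get(home_addr, -1):
            return False  # replayed or out-of-order request
        self.last_identification[home_addr] = ident
        self.bindings[home_addr] = care_of
        return True


def demo() -> Dict[str, bool]:
    """Two successive connections; every value in the returned dict should be True."""
    ha = HomeAgent()
    home_addr, ha_addr = "192.0.2.5", "192.0.2.1"  # constructed sample addresses
    r = {}
    # Connection 1: the authentication server gives terminal and home agent the same fresh key.
    psk1 = secrets.token_bytes(32)
    ha.install_psk(home_addr, psk1)
    req1 = build_registration_request(home_addr, ha_addr, "198.51.100.77", 1000, psk1)
    r["first_registration_accepted"] = ha.process_registration(req1)
    r["replay_rejected"] = not ha.process_registration(req1)
    # Connection 2 after the terminal moves: new care-of address and a rotated key.
    psk2 = secrets.token_bytes(32)
    ha.install_psk(home_addr, psk2)
    stale = build_registration_request(home_addr, ha_addr, "198.51.100.201", 1001, psk1)
    r["stale_key_rejected"] = not ha.process_registration(stale)
    fresh = build_registration_request(home_addr, ha_addr, "198.51.100.201", 1002, psk2)
    r["rotated_key_accepted"] = ha.process_registration(fresh)
    r["binding_updated"] = ha.bindings.get(home_addr) == "198.51.100.201"
    return r


if __name__ == "__main__":
    print(demo())
```

The order of checks in `process_registration` is deliberate: the authenticator is verified before the identification is compared, so a request under a stale key is rejected without advancing the replay window, and the identification is only recorded after a valid key has proven the request genuine.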

[0055] A mobile wireless terminal apparatus according to a fifth aspect of the invention is a mobile wireless terminal apparatus in a mobile wireless communication system which has a public network, a private network and a public wireless LAN system and comprises a virtual private network relay apparatus which establishes an IPsec tunnel with a network relay apparatus installed on the private network via the public network, further establishes the IPsec tunnel with the mobile wireless terminal apparatus, and relays connection of the mobile wireless terminal apparatus from the public wireless LAN system to the private network, a home agent that controls moving of the mobile wireless terminal apparatus, a connection authentication server that is installed on the public wireless LAN system and that authenticates connection of the mobile wireless terminal apparatus to the public wireless LAN system, and a wireless LAN access point that relays connection authentication procedures of a public wireless LAN performed between the mobile wireless terminal apparatus and the connection authentication server, and employs a configuration comprising: an authentication processing section that performs authentication processing of connection to the public wireless LAN system with the connection authentication server, an address acquiring section that acquires an IP address of the virtual private network relay apparatus from the connection authentication server when the connection to the public wireless LAN system is permitted, an address notifying section that notifies an IP address of the mobile wireless terminal apparatus to the connection authentication server, an IPsec shared key acquiring section that acquires an IPsec pre-shared secret key for use in the IPsec key exchange performed with the virtual private network relay apparatus from the connection authentication server, an MIP shared key acquiring section that acquires an MIP pre-shared secret key for use in mobile IP registration made with the home agent from the connection authentication server, an IPsec key exchanging section that performs the IPsec key exchange with the virtual private network relay apparatus using the IP address of the virtual private network relay apparatus and the IPsec pre-shared secret key, and an MIP registering section that makes the mobile IP registration to the home agent using the MIP pre-shared secret key.

[0056] According to this configuration, the mobile wireless terminal apparatus can acquire the IP address of the virtual private network relay apparatus, and the virtual private network relay apparatus can acquire the IP address of the mobile wireless terminal apparatus, so that both apparatuses can start key exchange by IPsec main mode using the IP addresses of the respective parties, and the mobile wireless terminal apparatus and the virtual private network relay apparatus can acquire the same IPsec pre-shared secret key, and it is possible to update the IPsec pre-shared secret key every time the mobile wireless terminal apparatus connects to the public wireless LAN system. Further, according to this configuration, the mobile wireless terminal apparatus and the home agent can acquire the same MIP pre-shared secret key, and update the MIP pre-shared secret key whenever the mobile wireless terminal apparatus connects to the public wireless LAN system. It is thereby possible to prevent deterioration in security, and a specific operation of the user and administrator is not required.

[0057] Moreover, according to this configuration, the IP address, IPsec pre-shared secret key and MIP pre-shared secret key are transmitted using the secure communication path established by connection authentication procedures between the mobile wireless terminal apparatus and the connection authentication server, so that a secure communication path to distribute them does not need to be newly established, and it is thus possible to reduce the time required to establish the IPsec tunnel in the mobile VPN connection environment.
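
The fifth aspect combines address distribution with per-connection IPsec key distribution, and the reason the addresses matter is a property of IKEv1 main mode with pre-shared key authentication: the peer's identity payload is only sent encrypted, after the Diffie-Hellman exchange, so the responder has to select the pre-shared key by the initiator's source IP address before it learns who the initiator is. The Python script below is an added example, not code from the patent, that models the connection authentication server provisioning both the terminal and the relay only after a successful authentication, the relay keying its pre-shared keys by terminal address, and a simplified stand-in for the main mode HASH_I/HASH_R check between the two. It demonstrates the benefits the aspect states: no key exchange can begin before the connection is permitted, the key is rotated on each connection, and a key from an earlier connection no longer verifies after the terminal moves. The password check, the HMAC-based authenticator construction and all addresses and credentials are assumptions constructed for the example; the real embodiment assigns the terminal address by DHCP.

```python
import hmac
import hashlib
import secrets
from typing import Dict, Optional

# Constructed sample addresses (documentation ranges), not values from the patent.
VPN_RELAY_IP = "203.0.113.10"
TERMINAL_IP_FIRST = "198.51.100.77"
TERMINAL_IP_AFTER_MOVE = "198.51.100.201"


class VpnRelay:
    """Virtual private network relay apparatus: stores one IPsec PSK per terminal IP."""

    def __init__(self, ip: str) -> None:
        self.ip = ip
        self.psk_by_peer_ip: Dict[str, bytes] = {}

    def store_psk(self, terminal_ip: str, psk: bytes) -> None:
        # Main mode must pick the PSK before the peer's identity is visible,
        # so the relay indexes keys by the terminal's address.
        self.psk_by_peer_ip[terminal_ip] = psk


class Terminal:
    """Mobile wireless terminal apparatus."""

    def __init__(self, ip: str, relay_ip: Optional[str] = None,
                 psk: Optional[bytes] = None) -> None:
        self.ip = ip
        self.relay_ip = relay_ip
        self.ipsec_psk = psk


class ConnectionAuthServer:
    """Connection authentication server on the public wireless LAN (simplified)."""

    def __init__(self, relay: VpnRelay, credentials: Dict[str, str]) -> None:
        self.relay = relay
        self.credentials = credentials

    def authenticate_and_provision(self, terminal: Terminal, user: str, password: str) -> bool:
        # Public wireless LAN connection authentication, reduced to a password check.
        if not hmac.compare_digest(self.credentials.get(user, ""), password):
            return False
        # Only once the connection is permitted: a fresh PSK for this connection,
        # the relay's address to the terminal, the terminal's address to the relay.
        psk = secrets.token_bytes(32)
        terminal.relay_ip = self.relay.ip
        terminal.ipsec_psk = psk
        self.relay.store_psk(terminal.ip, psk)
        return True


def main_mode_authenticator(psk: bytes, init_ip: str, resp_ip: str,
                            nonce_i: bytes, nonce_r: bytes, signer: bytes) -> bytes:
    """Simplified stand-in for IKEv1 HASH_I / HASH_R: an HMAC keyed by the PSK over both
    addresses, both nonces and the signer's role (assumed construction)."""
    msg = b"|".join([init_ip.encode(), resp_ip.encode(), nonce_i, nonce_r, signer])
    return hmac.new(psk, msg, hashlib.sha256).digest()


def run_main_mode(terminal: Terminal, relay: VpnRelay) -> bool:
    """Terminal (initiator) and relay (responder) authenticate each other; True on success."""
    if terminal.relay_ip is None or terminal.ipsec_psk is None:
        return False  # nothing provisioned yet
    relay_psk = relay.psk_by_peer_ip.get(terminal.ip)
    if relay_psk is None:
        return False  # responder cannot select a PSK for this source address
    nonce_i, nonce_r = secrets.token_bytes(16), secrets.token_bytes(16)
    t_psk, t_ip, r_ip = terminal.ipsec_psk, terminal.ip, terminal.relay_ip
    # Initiator computes HASH_I with its key; the responder recomputes it with its own copy.
    hash_i = main_mode_authenticator(t_psk, t_ip, r_ip, nonce_i, nonce_r, b"init")
    ok_i = hmac.compare_digest(
        hash_i, main_mode_authenticator(relay_psk, t_ip, relay.ip, nonce_i, nonce_r, b"init"))
    # Symmetrically for HASH_R.
    hash_r = main_mode_authenticator(relay_psk, t_ip, relay.ip, nonce_i, nonce_r, b"resp")
    ok_r = hmac.compare_digest(
        hash_r, main_mode_authenticator(t_psk, t_ip, r_ip, nonce_i, nonce_r, b"resp"))
    return ok_i and ok_r


def demo() -> Dict[str, bool]:
    """Walk through a connection, a move and a reconnection; every value should be True."""
    relay = VpnRelay(VPN_RELAY_IP)
    secret = "constructed-sample-password"
    server = ConnectionAuthServer(relay, {"alice": secret})
    term = Terminal(TERMINAL_IP_FIRST)
    r = {}
    r["bad_password_rejected"] = not server.authenticate_and_provision(term, "alice", "wrong")
    r["no_tunnel_before_permit"] = not run_main_mode(term, relay)
    r["permitted"] = server.authenticate_and_provision(term, "alice", secret)
    r["tunnel_after_permit"] = run_main_mode(term, relay)
    first_psk = term.ipsec_psk
    # The terminal moves: new address, new authentication, freshly generated PSK.
    moved = Terminal(TERMINAL_IP_AFTER_MOVE)
    server.authenticate_and_provision(moved, "alice", secret)
    r["psk_rotated"] = moved.ipsec_psk != first_psk
    r["tunnel_after_move"] = run_main_mode(moved, relay)
    # A terminal still presenting the previous connection's key from the new address fails.
    stale = Terminal(TERMINAL_IP_AFTER_MOVE, VPN_RELAY_IP, first_psk)
    r["stale_psk_rejected"] = not run_main_mode(stale, relay)
    return r


if __name__ == "__main__":
    print(demo())
```

The `psk_by_peer_ip` lookup in `run_main_mode` is the step the patent's background identifies as the obstacle for mobile terminals: without the terminal's current address reaching the relay, there is no key to select and main mode cannot start, which is why the connection authentication server forwards that address over the path it has already secured.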

[0058] A virtual private network relay apparatus according to a sixth aspect of the invention is a virtual private network relay apparatus in a mobile wireless communication system which has a public network, a private network and a public wireless LAN system and comprises the virtual private network relay apparatus which establishes an IPsec tunnel with a network relay apparatus installed on the private network via the public network, further establishes the IPsec tunnel with a mobile wireless terminal apparatus, and relays connection of the mobile wireless terminal apparatus from the public wireless LAN system to the private network, a connection authentication server that is installed on the public wireless LAN system and authenticates connection of the mobile wireless terminal apparatus to the public wireless LAN system, and a wireless LAN access point that relays connection authentication procedures of a public wireless LAN performed between the mobile wireless terminal apparatus and the connection authentication server, and employs a configuration comprising: an address acquiring section that receives an IP address of the mobile wireless terminal apparatus from the connection authentication server, and an IPsec key exchanging section that performs an IPsec key exchange with the mobile wireless terminal apparatus using the IP address of the mobile wireless terminal apparatus.
[0059] According to this configuration, the virtual private network relay apparatus can acquire the IP address of the mobile wireless terminal apparatus, and thereby can start key exchange by IPsec main mode using the IP address, so that deterioration in security can be prevented, a specific operation of the user and administrator is not required, and it is possible to reduce the time required to establish the IPsec tunnel in the mobile VPN connection environment.

[0060] A virtual private network relay apparatus according to a seventh aspect of the invention is a virtual private network relay apparatus in a mobile wireless communication system which has a public network, a private network and a public wireless LAN system and comprises the virtual private network relay apparatus which establishes an IPsec tunnel with a network relay apparatus installed on the private network via the public network, further establishes the IPsec tunnel with a mobile wireless terminal apparatus, and relays connection of the mobile wireless terminal apparatus from the public wireless LAN system to the private network, a connection authentication server that is installed on the public wireless LAN system and authenticates connection of the mobile wireless terminal apparatus to the public wireless LAN system, and a wireless LAN access point that relays connection authentication procedures of a public wireless LAN performed between the mobile wireless terminal apparatus and the connection authentication server, and employs a configuration comprising an IPsec shared key acquiring section that acquires a pre-shared secret key for use in an IPsec key exchange performed with the mobile wireless terminal apparatus from the connection authentication server, and an IPsec key exchanging section that performs the IPsec key exchange with the mobile wireless terminal apparatus using the pre-shared secret key.

[0061] According to this configuration, the mobile wireless terminal apparatus and the virtual private network relay apparatus can acquire the same IPsec pre-shared secret key, and update the IPsec pre-shared secret key every time the mobile wireless terminal apparatus connects to the public wireless LAN system, so that deterioration in security can be prevented and a specific operation of the user and administrator is not required, and it is possible to reduce the time required to establish the IPsec tunnel in the mobile VPN connection environment.

[0062] A virtual private network relay apparatus according to an eighth aspect of the invention is a virtual private network relay apparatus in a mobile wireless communication system which has a public network, a private network and a public wireless LAN system and comprises the virtual private network relay apparatus which establishes an IPsec tunnel with a network relay apparatus installed on the private network via the public network, further establishes the IPsec tunnel with a mobile wireless terminal apparatus, and relays connection of the mobile wireless terminal apparatus from the public wireless LAN system to the private network, a connection authentication server that is installed on the public wireless LAN system and authenticates connection of the mobile wireless terminal apparatus to the public wireless LAN system, and a wireless LAN access point that relays connection authentication procedures of a public wireless LAN performed between the mobile wireless terminal apparatus and the connection authentication server, and employs a configuration comprising an address acquiring section that receives an IP address of the mobile wireless terminal apparatus from the connection authentication server, an IPsec shared key acquiring section that receives a pre-shared secret key for use in an IPsec key exchange performed with the mobile wireless terminal apparatus from the connection authentication server, and an IPsec key exchanging section that performs the IPsec key exchange with the mobile wireless terminal apparatus using the IP address of the mobile wireless terminal apparatus and the pre-shared secret key.

[0063] According to this configuration, the virtual private network relay apparatus can acquire the IP address of the mobile wireless terminal apparatus, and thereby can start key exchange by IPsec main mode using the IP address. Further, according to this configuration, the mobile wireless terminal apparatus and the virtual private network relay apparatus can acquire the same IPsec pre-shared secret key, and update the IPsec pre-shared secret key every time the mobile wireless terminal apparatus connects to the public wireless LAN system. It is thus possible to prevent deterioration in security, a specific operation of the user and administrator is not required, and it is possible to reduce the time required to establish the IPsec tunnel in the mobile VPN connection environment.

[0064] A connection authentication server according to a ninth aspect of the invention is a connection authentication server in a mobile wireless communication system which has a public network, a private network and a public wireless LAN system and comprises a virtual private network relay apparatus which establishes an IPsec tunnel with a network relay apparatus installed on the private network via the public network, further establishes the IPsec tunnel with a mobile wireless terminal apparatus and relays connection of the mobile wireless terminal apparatus from the public wireless LAN system to the private network, the connection authentication server that is installed on the public wireless LAN system and that authenticates connection of the mobile wireless terminal apparatus to the public wireless LAN system, and a wireless LAN access point that relays connection authentication procedures of a public wireless LAN performed between the mobile wireless terminal apparatus and the connection authentication server, and employs a configuration comprising an authentication processing section that authenticates connection of the mobile wireless terminal apparatus to the public wireless LAN system, an address acquiring section that receives an IP address of the mobile wireless terminal apparatus from the mobile wireless terminal apparatus when permitting the connection of the mobile wireless terminal apparatus to the public wireless LAN system, and an address notifying section that notifies an IP address of the virtual private network relay apparatus to the mobile wireless terminal apparatus and notifies the IP address of the mobile wireless terminal apparatus to the virtual private network relay apparatus.
[0065] According to this configuration, the mobile wireless terminal apparatus can acquire the IP address of the virtual private network relay apparatus, and the virtual private network relay apparatus can acquire the IP address of the mobile wireless terminal apparatus, so that the mobile wireless terminal apparatus and the virtual private network relay apparatus can start key exchange by IPsec main mode using the IP addresses of the respective parties, and it is thereby possible to prevent deterioration in security, and a specific operation of the user and administrator is not required. Further, according to this configuration, the IP address is transmitted using the secure communication path established by connection authentication procedures between the mobile wireless terminal apparatus and the connection authentication server, so that a secure communication path to distribute the IP address does not need to be newly established, and it is thus possible to reduce the time required to establish the IPsec tunnel in the mobile VPN connection environment.

[0066] A connection authentication server according to a tenth aspect of the invention is a connection authentication server in a mobile wireless communication system which has a public network, a private network and a public wireless LAN system and comprises a virtual private network relay apparatus which establishes an IPsec tunnel with a network relay apparatus installed on the private network via the public network, further establishes the IPsec tunnel with a mobile wireless terminal apparatus and relays connection of the mobile wireless terminal apparatus from the public wireless LAN system to the private network, the connection authentication server that is installed on the public wireless LAN system and that authenticates connection of the mobile wireless terminal apparatus to the public wireless LAN system, and a wireless LAN access point that relays connection authentication procedures of a public wireless LAN performed between the mobile wireless terminal apparatus and the connection authentication server, and employs a configuration comprising an authentication processing section that authenticates connection of the mobile wireless terminal apparatus to the public wireless LAN system, and an IPsec shared key distributing section that distributes a pre-shared secret key, for use in an IPsec key exchange performed between the mobile wireless terminal apparatus and the virtual private network relay apparatus, to the mobile wireless terminal apparatus and the virtual private network relay apparatus when permitting the connection of the mobile wireless terminal apparatus to the public wireless LAN system.

[0067] According to this configuration, the mobile wireless terminal apparatus and the virtual private network relay apparatus can acquire the same IPsec pre-shared secret key, and update the IPsec pre-shared secret key every time the mobile wireless terminal apparatus connects to the public wireless LAN system, so that deterioration in security can be prevented and a specific operation of the user and administrator is not required. Further, according to this configuration, the IPsec pre-shared secret key is transmitted using the secure communication path established by connection authentication procedures between the mobile wireless terminal apparatus and the connection authentication server, so that a secure communication path to distribute the IPsec pre-shared secret key does not need to be newly established, and it is thus possible to reduce the time required to establish the IPsec tunnel in the mobile VPN connection environment.
[0068] A connection authentication server according to an eleventh aspect of the invention is a connection authentication server in a mobile wireless communication system which has a public network, a private network and a public wireless LAN system and comprises a virtual private network relay apparatus which establishes an IPsec tunnel with a network relay apparatus installed on the private network via the public network, further establishes the IPsec tunnel with a mobile wireless terminal apparatus and relays connection of the mobile wireless terminal apparatus from the public wireless LAN system to the private network, a home agent that controls moving of the mobile wireless terminal apparatus, the connection authentication server that is installed on the public wireless LAN system and authenticates connection of the mobile wireless terminal apparatus to the public wireless LAN system, and a wireless LAN access point that relays connection authentication procedures of a public wireless LAN performed between the mobile wireless terminal apparatus and the connection authentication server, and employs a configuration comprising an authentication processing section that authenticates connection of the mobile wireless terminal apparatus to the public wireless LAN system, and an MIP shared key distributing section that distributes a pre-shared secret key, for use in mobile IP registration performed between the mobile wireless terminal apparatus and the home agent, to the mobile wireless terminal apparatus and the home agent when permitting the connection of the mobile wireless terminal apparatus to the public wireless LAN system.
[0069] According to this configuration, the mobile wireless terminal apparatus and the home agent can acquire the same MIP pre-shared secret key, and update the MIP pre-shared secret key every time the mobile wireless terminal apparatus connects to the public wireless LAN system, so that deterioration in security can be prevented and a specific operation of the user and administrator is not required. Further, according to this configuration, the MIP pre-shared secret key is transmitted using the secure communication path established by connection authentication procedures between the mobile wireless terminal apparatus and the connection authentication server, so that a secure communication path to distribute the MIP pre-shared secret key does not need to be newly established, and it is thus possible to reduce the time required to establish the IPsec tunnel in the mobile VPN connection environment.

[0070] A connection authentication server according to a twelfth aspect of the invention is a connection authentication server in a mobile wireless communication system which has a public network, a private network and a public wireless LAN system and comprises a virtual private network relay apparatus which establishes an IPsec tunnel with a network relay apparatus installed on the private network via the public network, further establishes the IPsec tunnel with a mobile wireless terminal apparatus and relays connection of the mobile wireless terminal apparatus from the public wireless LAN system to the private network, a home agent that controls moving of the mobile wireless terminal apparatus, the connection authentication server that is installed on the public wireless LAN system and authenticates connection of the mobile wireless terminal apparatus to the public wireless LAN system, and a wireless LAN access point that relays connection authentication procedures of a public wireless LAN performed between the mobile wireless terminal apparatus and the connection authentication server, and employs a configuration comprising an authentication processing section that authenticates connection of the mobile wireless terminal apparatus to the public wireless LAN system, an address acquiring section that receives an IP address of the mobile wireless terminal apparatus from the mobile wireless terminal apparatus when permitting the connection of the mobile wireless terminal apparatus to the public wireless LAN system, an address notifying section that notifies an IP address of the virtual private network relay apparatus to the mobile wireless terminal apparatus and notifies the IP address of the mobile wireless terminal apparatus to the virtual private network relay apparatus, an IPsec shared key distributing section that distributes an IPsec pre-shared secret key, for use in an IPsec key exchange performed between the mobile wireless terminal apparatus and the virtual private network relay apparatus, to the mobile wireless terminal apparatus and the virtual private network relay apparatus, and an MIP shared key distributing section that distributes an MIP pre-shared secret key, for use in mobile IP registration performed between the mobile wireless terminal apparatus and the home agent, to the mobile wireless terminal apparatus and the home agent.

[0071] According to this configuration, the mobile wireless terminal apparatus can acquire the IP address of the virtual private network relay apparatus and the virtual private network relay apparatus can acquire the IP address of the mobile wireless terminal apparatus, so that the mobile wireless terminal apparatus and the virtual private network relay apparatus can start establishing the tunnel by IPsec main mode using the IP addresses of the respective parties. Further, according to this configuration, the mobile wireless terminal apparatus and the virtual private network relay apparatus can acquire the same IPsec pre-shared secret key, and update the IPsec pre-shared secret key every time the mobile wireless terminal apparatus connects to the public wireless LAN system. Furthermore, according to this configuration, the mobile wireless terminal apparatus and the home agent can acquire the same MIP pre-shared secret key, and update the MIP pre-shared secret key every time the mobile wireless terminal apparatus connects to the public wireless LAN system. It is thereby possible to prevent deterioration in security, and a specific operation of the user and administrator is not required.

[0072] Moreover, according to this configuration, the IP address, IPsec pre-shared secret key and MIP pre-shared secret key are transmitted using the secure communication path established by the connection authentication procedures between the mobile wireless terminal apparatus and the connection authentication server, so that a secure communication path to distribute them does not need to be newly established, and it is thus possible to reduce the time required to establish the IPsec tunnel in the mobile VPN connection environment.

[0073] A wireless LAN access point according to a thirteenth aspect of the invention is a wireless LAN access point in a mobile wireless communication system which has a public network, a private network and a public wireless LAN system and comprises a virtual private network relay apparatus which establishes an IPsec tunnel with a network relay apparatus installed on the private network via the public network, further establishes the IPsec tunnel with a mobile wireless terminal apparatus and relays connection of the mobile wireless terminal apparatus from the public wireless LAN system to the private network, a home agent that controls moving of the mobile wireless terminal apparatus, a connection authentication server that is installed on the public wireless LAN system and authenticates connection of the mobile wireless terminal apparatus to the public wireless LAN system, and the wireless LAN access point that relays connection authentication procedures of a public wireless LAN performed between the mobile wireless terminal apparatus and the connection authentication server, and employs a configuration comprising an authentication relay section that transmits to the mobile wireless terminal apparatus an IP address, an IPsec pre-shared key and a Mobile IP pre-shared key transmitted from the connection authentication server and transmits an IP address transmitted from the mobile wireless terminal apparatus to the connection authentication server, using a secure communication path established in the connection authentication procedures of the public wireless LAN performed between the mobile wireless terminal apparatus and the connection authentication server.

2F04200-PCT

[0074] According to this configuration, the mobile wireless terminal apparatus can acquire the IP address of the virtual private network relay apparatus and the virtual private network relay apparatus can acquire the IP address of the mobile wireless terminal apparatus, so that the mobile wireless terminal apparatus and the virtual private network relay apparatus can start the key exchange by IPsec main mode using the IP addresses of the respective parties. Further, according to this configuration, the mobile wireless terminal apparatus and the virtual private network relay apparatus can acquire the same IPsec pre-shared secret key, and update the IPsec pre-shared secret key every time the mobile wireless terminal apparatus connects to the public wireless LAN system. It is thereby possible to prevent deterioration in security, and no specific operation by the user or administrator is required.

[0075] Moreover, according to this configuration, the IP address, IPsec pre-shared secret key and MIP pre-shared secret key are transmitted using the secure communication path established by the connection authentication procedures between the mobile wireless terminal apparatus and the connection authentication server, so that a secure communication path to distribute them does not need to be newly established, and it is thus possible to reduce the time required to establish the IPsec tunnel in the mobile VPN connection environment.

[0076] A home agent according to a fourteenth aspect of the invention is a home agent in a mobile wireless communication system which has a public network, a private network and a public wireless LAN system and comprises a virtual private network relay apparatus which establishes an IPsec tunnel with a network relay apparatus installed on the private network via the public network, further establishes the IPsec tunnel with a mobile wireless terminal apparatus and relays connection of the mobile wireless terminal apparatus from the public wireless LAN system to the private network, the home agent that controls moving of the mobile wireless terminal apparatus, a connection authentication server that is installed on the public wireless LAN system and authenticates connection of the mobile wireless terminal apparatus to the public wireless LAN system, and a wireless LAN access point that relays connection authentication procedures of a public wireless LAN performed between the mobile wireless terminal apparatus and the connection authentication server, and employs a configuration comprising an MIP shared key acquiring section that receives a pre-shared secret key for use in mobile IP registration of the mobile wireless terminal apparatus from the connection authentication server, and an MIP processing section that processes the mobile IP registration from the mobile wireless terminal apparatus using the pre-shared secret key.

[0077] According to this configuration, the home agent can acquire the MIP pre-shared secret key, and update the MIP pre-shared secret key every time the mobile wireless terminal apparatus connects to the public wireless LAN system, so that deterioration in security can be prevented, no specific operation by the user or administrator is required, and it is possible to reduce the time required to establish the IPsec tunnel in the mobile VPN connection environment.
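
The key-distribution and key-update flow that paragraphs [0070] to [0077] describe, modelled as an added Python example (not code from the patent): after WLAN connection authentication, the connection authentication server issues a fresh IPsec and MIP pre-shared key, hands the terminal the relay's address and the relay the terminal's address, and the relay and home agent then authenticate the terminal with those keys; a second connection after the terminal moves reissues the keys and the previous key no longer verifies. HMAC-SHA256 over nonces stands in for the real IKE main-mode and Mobile IP authentication computations, and all addresses are constructed.

```python
import hmac, hashlib, secrets

def prf(key, *parts):  # HMAC-SHA256 stands in for the IKE / Mobile IP keyed hash (simplification)
    return hmac.new(key, b"|".join(parts), hashlib.sha256).digest()

class VpnRelay:
    def __init__(self, ip): self.ip, self.peers = ip, {}
    def register_peer(self, term_ip, psk): self.peers[term_ip] = psk  # from the auth server
    def verify_main_mode(self, term_ip, ni, nr, hash_i):
        # Main mode is possible only because the relay already knows the terminal's IP and PSK
        psk = self.peers.get(term_ip)
        return psk is not None and hmac.compare_digest(prf(prf(psk, ni, nr), term_ip.encode()), hash_i)

class HomeAgent:
    def __init__(self): self.keys = {}
    def set_mip_key(self, term_ip, psk): self.keys[term_ip] = psk
    def verify_registration(self, term_ip, req, auth):
        psk = self.keys.get(term_ip)
        return psk is not None and hmac.compare_digest(prf(psk, req), auth)

class Terminal:
    def __init__(self, ip): self.ip, self.relay_ip, self.ipsec_psk, self.mip_psk = ip, None, None, None
    def receive(self, relay_ip, ipsec_psk, mip_psk):  # delivered over the WLAN auth secure path
        self.relay_ip, self.ipsec_psk, self.mip_psk = relay_ip, ipsec_psk, mip_psk
    def main_mode(self, relay, psk=None):
        psk = psk or self.ipsec_psk
        ni, nr = secrets.token_bytes(16), secrets.token_bytes(16)  # both sides' nonces (constructed)
        return relay.verify_main_mode(self.ip, ni, nr, prf(prf(psk, ni, nr), self.ip.encode()))
    def mip_register(self, ha):
        req = b"MIP-REG " + self.ip.encode()  # registration request carrying the care-of address
        return ha.verify_registration(self.ip, req, prf(self.mip_psk, req))

class ConnectionAuthServer:
    def __init__(self, relay, ha): self.relay, self.ha = relay, ha
    def admit(self, term):  # runs after WLAN connection authentication succeeds
        ipsec_psk, mip_psk = secrets.token_bytes(32), secrets.token_bytes(32)  # fresh per connection
        term.receive(self.relay.ip, ipsec_psk, mip_psk)
        self.relay.register_peer(term.ip, ipsec_psk)
        self.ha.set_mip_key(term.ip, mip_psk)

def demo():
    relay, ha = VpnRelay("203.0.113.1"), HomeAgent()
    cas, term = ConnectionAuthServer(relay, ha), Terminal("192.0.2.10")  # constructed addresses
    cas.admit(term)
    first = term.main_mode(relay) and term.mip_register(ha)
    old_psk, term.ip = term.ipsec_psk, "198.51.100.7"  # terminal moves, gets a new DHCP address
    cas.admit(term)                                     # re-authenticates; keys are reissued
    second = term.main_mode(relay) and term.mip_register(ha)
    stale = term.main_mode(relay, psk=old_psk)          # key from the previous connection
    return {"first": first, "second": second, "rotated": old_psk != term.ipsec_psk, "stale": stale}
```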

[0078] The present application is based on Japanese Patent Application No. 2004-008507 filed on January 15, 2004, the entire content of which is expressly incorporated by reference herein.

Industrial Applicability

[0079] The present invention is suitable for a mobile wireless communication system that provides a mobile VPN environment such that mobile wireless terminal apparatuses gain access to private networks from a public wireless LAN system via a public network.